Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

RA-VPN error: Duplicate Phase 1 packet detected

i've tried to set up a remote access vpn with both the wizard and then agian at the CLI, but to no avail.

Each time i get the same error,

Duplicate Phase 1 packet detected. Retransmitting last packet

I've tried different clients and also checked that :

sysopt connection permit-ipsec

is enabled.

though i haven't been able to run the:

debug crypto isakmp

due to it being in production

many thanks


New Member

Re: RA-VPN error: Duplicate Phase 1 packet detected

I have checked the error log.

What I have found for you:

Error Message %PIX|ASA-3-713902

Recommended Action It might be necessary to troubleshoot the configuration to determine the cause of the error. Check the ISAKMP and crypto map configuration on both peers.

You can also check if you can reach the peer.



New Member

Re: RA-VPN error: Duplicate Phase 1 packet detected

thanks Wouter

this is the config, there is also a bit for a site to site, that works, sorry for the delay.


interface Ethernet0/3

description *** Ultra Site-2-Site ***

nameif Ultra_Site-2-Site

security-level 0

ip address **********


access-list inside_nat0_outbound extended permit ip

access-list Ultra_Site-2-Site_cryptomap_20 extended permit ip

ip local pool affinitipool mask

route Ultra_Site-2-Site 1

route Ultra_Site-2-Site 1

group-policy affinitivpn internal

group-policy affinitivpn attributes

dns-server value

vpn-tunnel-protocol IPSec


username network password oAey6bUMeYJzmyZI encrypted privilege 15

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map affiniti_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map affiniti_dyn_map 40 set reverse-route

crypto map Ultra_Site-2-Site_map 20 match address Ultra_Site-2-Site_cryptomap_20

crypto map Ultra_Site-2-Site_map 20 set peer

crypto map Ultra_Site-2-Site_map 20 set transform-set ESP-3DES-SHA

crypto map Ultra_Site-2-Site_map 40 ipsec-isakmp dynamic affiniti_dyn_map

crypto map Ultra_Site-2-Site_map interface Ultra_Site-2-Site

isakmp enable Ultra_Site-2-Site

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 1800

isakmp nat-traversal 20

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

tunnel-group affinitivpn type ipsec-ra

tunnel-group affinitivpn general-attributes

address-pool affinitipool

default-group-policy affinitivpn

tunnel-group affinitivpn ipsec-attributes

pre-shared-key *

New Member

Re: RA-VPN error: Duplicate Phase 1 packet detected

for others who get this error.

it was actually a routing problem.

this RA-VPN wasn't on the outside interface, but on e0/3 so there wasn't a default route.

we needed to add specific routes to REAL ip address to connect.

the asa log is just saying that it's recieving the phase1 (but can't respond in the right direction.)

CreatePlease to create content